For schools, the biggest changes are centered around the need to appoint a Data Protection Officer - someone who will take on responsibility for all data handling and management. The rules and regulations around data handling are very specific, and it is important that the Data Protection Officer your school appoints is both aware of and on top of the requirements. The Data Protection Officer’s responsibilities will include reporting any data breaches as soon as they are discovered - if not reported within 72 hours of discovery, penalties of up to €20m or 4% of global revenue, whichever is the larger sum, are possible.
All relationships with third-party suppliers will need to be carefully monitored. The responsibility lies with the school, as the data controller, to ensure that all external suppliers that handle data are fully compliant with GDPR. This includes everything from catering services to software providers; if a supplier holds any data from the school, the school needs to be sure that the supplier is compliant. This will need to be documented in a formal contract/SLA for every supplier, detailing how all data is stored and processed.
One other important change is to the rights of the data subjects themselves. All subjects can request to see every source that their data is shared with, as well as exercise their ‘right to be forgotten’ - a regulation that allows any data subject, be they former pupils, parents, staff, governors or anyone else associated with the school, to request that their information be removed from the school databases.
Crucially, the Data Protection Officer, and all others associated with the handling of the school’s data, must be able to produce a clear audit trail for all uses, with evidence of acting within the GDPR. The deadline for compliance is May 2018, and schools need to ensure that they are ready in advance.
Groupcall are hosting CPD certified training sessions with our own Data Protection Officer to help bring schools up to date on achieving compliance. Find out more about attending your nearest training session below for specialist advice and guidance on achieving compliance.
Groupcall are operating in partnership with GDPR in Schools (GDPRiS) to provide an all-in-one compliance monitoring solution that encompasses data movement, training records, incident management, auditing and more. To find out more about how Groupcall and GDPRiS can help you achieve compliance, request more information.